From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751053AbdE2Skx (ORCPT <rfc822;w@1wt.eu>);
        Mon, 29 May 2017 14:40:53 -0400
Received: from mail.free-electrons.com ([62.4.15.54]:34936 "EHLO
        mail.free-electrons.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750921AbdE2Skw (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 May 2017 14:40:52 -0400
Date: Mon, 29 May 2017 20:40:49 +0200
From: Boris Brezillon <boris.brezillon@free-electrons.com>
To: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: linux-mtd@lists.infradead.org, Marek Vasut <marek.vasut@gmail.com>,
        Richard Weinberger <richard@nod.at>, linux-kernel@vger.kernel.org,
        Cyrille Pitchen <cyrille.pitchen@wedev4u.fr>,
        Brian Norris <computersforpeace@gmail.com>,
        David Woodhouse <dwmw2@infradead.org>
Subject: Re: [PATCH] mtd: nand: check ecc->total sanity in nand_scan_tail
Message-ID: <20170529204049.25cb8c30@bbrezillon>
In-Reply-To: <1495687820-30692-1-git-send-email-yamada.masahiro@socionext.com>
References: <1495687820-30692-1-git-send-email-yamada.masahiro@socionext.com>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.30; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 25 May 2017 13:50:20 +0900
Masahiro Yamada <yamada.masahiro@socionext.com> wrote:

> Drivers are supposed to set correct ecc->{size,strength,bytes} before
> calling nand_scan_tail(), but it does not complain about ecc->total
> bigger than oobsize.
> 
> In this case, chip->scan_bbt() crashes due to memory corruption, but
> it is hard to debug.  It would be kind to fail it earlier with a clear
> message.
> 
> Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>


Applied to nand/next.

Thanks,

Boris

> ---
> 
> I was actually hit by this case.
> 
> I wasted half a day until I figured out my coding mistake in my
> Denali driver.  It will be helpful to check this in NAND core.
> 
> 
>  drivers/mtd/nand/nand_base.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index f4d686192717..14d6a5aa3ee8 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -4970,6 +4970,11 @@ int nand_scan_tail(struct mtd_info *mtd)
>  		goto err_free;
>  	}
>  	ecc->total = ecc->steps * ecc->bytes;
> +	if (ecc->total > mtd->oobsize) {
> +		WARN(1, "Total number of ECC bytes exceeded oobsize\n");
> +		ret = -EINVAL;
> +		goto err_free;
> +	}
>  
>  	/*
>  	 * The number of bytes available for a client to place data into